Wednesday, February 18, 2015

Build your own combined OpenVPN/WiKID server for a VPN with built-in two-factor authentication using Packer

In past tutorials, we have added one-time passwords to OpenVPN and
created a WiKID server using Packer. In this tutorial we create a
combined OpenVPN/WiKID server using Packer. Packer allows us to create
VMware, VirtualBox, EC2, GCE, Docker, etc images using code. Note that
combining your two-factor authentication server and VPN server on one
box may or may not be the best solution for you. We typically like
separation of duties for security and flexibility. However, if you need
something fast - the PCI auditors arrive Monday - or you are in a
repressive state and just need a secure outbound connection for a short
period of time. And you still have some flexibility. You can add more
services to the WiKID server. You can disable the OpenVPN server and
instead switch to a different VPN.

Build the Combined Server

First, download and install Packer.
Checkout our Packer scripts from GitHub.
The scripts consist of a main JSON file that tells Packer what do it,
an http directory with Anaconda build scripts, a files directory that
gets uploaded to the image and provisioners that run after the image is
built. Basically Packer starts with some source such as an ISO or AMI,
builds the server based on Anaconda (at least for CentOS), uploads any
files and then runs the provisioners. Packer is primarily geared toward
creating idempotent servers. In our case, we are using it to execute the
commands, allowing us to run one command instead of about 50 (just for
the provisioning).
Before building, you need to edit a few files. First, edit /files/vars. This is the standard vars file for creating the OpenVPN certs. Just enter your values for the cert fields.

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="GA"
export KEY_CITY="Atlanta"
export KEY_ORG="WiKID Systems Inc"
export KEY_EMAIL="me@wikidsystems.com"
export KEY_OU="WiKID Systems, Inc"

Next, you need to edit the shared secret in /files/server.
This file will tell PAM which RADIUS server to use. In this case, it is
talking straight to the WiKID server. The shared secret is used to
encode the radius traffic. Since WiKID is running on the same server,
keep the localhost as the server:

# server[:port] shared_secret timeout (s)
127.0.0.1 secret 3

You will need this shared secret later.
Take a look in centos-6-x86-64.json. You can run it as is, but
you might like to edit a few things. You should confirm the source_ami
(the listed ami is in the US-East) or switch it to one of your preferred
CentOS AMIs. If you are building on VMware or VirtualBox, you will want
to change the iso_url to the location of the CentOS ISO on your hard
drive and update the MD5Sum. You may want to edit the names and
descriptions. You may also want to change the EC2 region. Most
importantly, you can change the ssh_password which is the root password.
Once you are happy with the JSON file, you can verify it with Packer:

$packer_location/packer verify centos-6-x86-64.json

If that works, build it. You can specify the target platform on the command line:

If you watch the commands run, you will see a complete OpenVPN server being built complete with fresh certificates!

Configure the WiKID two-factor authentication server

Once it is created, you will need to launch the AMI or import the
virtual machine. Start VirtBox and select File, Import Appliance. Point
it to output-virtualbox-iso directory created by the build command and
open the OVF file. Make any changes you may want to the virtual machine
(eg memory or network) and start the server.
Login using root/wikid or whatever you may have set the root password as in the JSON file. We will be configuring the WiKID server using the quick-start configuration option. Copy the file to the current directory:

cp /opt/WiKID/conf/sample-quick-setup.properties wikid.conf

Edit wikid.conf per those instructions. Use the external IP address
of your server or EC2 instance zero-padded as the domaincode. So,
54.163.165.73 becomes 054163165073. For the RADIUS host use the
localhost and the shared secret you created in /files/server above:

information for setting up a RADIUS host
radiushostip=127.0.0.1
radiushostsecret=secret
; *NOTE*: YOU SHOULD REMOVE THIS SETTING AFTER CONFIGURATION FOR SECURITY

If you are on a VM, you can configure the network by running:

wikidctl setup

On EC2, you can just configure the WiKID server:

wikidctl quick-setup configfile=wikid.conf

You will see configuration information scroll past. Start the WiKID server:

wikidctl start

You will be prompted for the passphrase you set in wikid.conf. Browse
to the WIKIDAdmin interface at https://yourserver.com/WiKIDAdmin/ and
you should see your domain created, your radius network client
configured and all the required certs completed.
Before leaving the server, you should add your username as an account
on the server with 'useradd $username'. There is no need to add a
password.

Register the WiKID Software token

Download a WiKID software token or install one for iOS or Android from the apps stores.
Start the token and select "Add a Domain". Enter the domain
identifier code you set in wikid.conf and you should be double-prompted
to set your PIN. Do so and you will get back a registration code. Go to
the WiKIDAdmin web UI and click on the Users Tab, then Manually Validate
a User. Click on your registration code and enter your username. This
process associates the token (and the keys that were exchanged) with the
user.